This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

RDP connection drops intermittently

Hey Guys

Thanks for reading my questions, this forum is my last resort as I am out of ideas.

We have users that connect to a remote server outside of our network to perform some admin tasks and everything has been working fine until a few weeks ago. Users started complaining that their RDP session keeps freezing then drops completely with the error message "Your remote desktop services session has ended. The connection to the remote computer was lost, possibly due to network connectivity problems." I have tested this from multiple PCs and from multiple locations with the same result. The following was captured with Wireshark; hopefully someone can shed some light on what's going on.

4145    213.992742000   source(my pc)   destination (remote server) TPKT    71  Continuation
4146    213.998031000   source(my pc)   destination (remote server) TPKT    981 [TCP Retransmission] Continuation
4167    219.778181000   source(my pc)   destination (remote server) TPKT    85  Continuation
4191    224.575355000   source(my pc)   destination (remote server) TPKT    1354    [TCP Retransmission] Continuation
4246    238.663506000   source(my pc)   destination (remote server) TCP 54  49322 > ms-wbt-server [RST, ACK] Seq=173138 Ack=27613 Win=0 Len=0

asked 19 Dec '12, 09:07

tlevin

edited 19 Dec '12, 09:36

grahamb ♦

One Answer:

Well, 5 packets out of a complete stream is not a lot to go by when trying to find the source of the problem. But here goes anyway :-)

Assuming you captured near the client and that your capture and display filters did not filter out the packets coming from the server (you did see server packets earlier in the trace, didn't you?), then I would say that indeed the connection to the RDP server is interrupted. The client keeps sending data and retransmitting it, but it does not get a response (not even by an ACK at the TCP level) and finally shuts down the connection, which results in a TCP RST in frame 4246.

You might want to capture data on both the client side and the server side to verify that all packets do arrive at the RDP server.

I suspect there might be a stateful device (Firewall or LoadBalancer or similar) that might have dropped the session and now blocks traffic. What devices are on the path from the client to the RDP server?

answered 20 Dec '12, 02:50

SYN-bit ♦♦
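
The check the answer makes by eye, written out as an added example (not part of the original question or answer): find the last frame seen from the server, then count what the client sent afterwards, including retransmissions and the final RST. It assumes the packet list was exported as tab-separated text in the column order shown in the question; the addresses and the first two sample rows are constructed.

```python
# Constructed sample, assumed to be a tab-separated packet-list export:
# No., Time, Source, Destination, Protocol, Length, Info.
# Rows 4145-4246 reuse the frame numbers, times and Info text from the question;
# rows 4100-4101 and both addresses (documentation ranges) are made up.
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SAMPLE = "\n".join("\t".join(r) for r in [
    ("4100", "210.100000", CLIENT, SERVER, "TPKT", "120", "Continuation"),
    ("4101", "210.100400", SERVER, CLIENT, "TCP", "54",
     "ms-wbt-server > 49322 [ACK] Seq=27613 Ack=170000 Win=64000 Len=0"),
    ("4145", "213.992742", CLIENT, SERVER, "TPKT", "71", "Continuation"),
    ("4146", "213.998031", CLIENT, SERVER, "TPKT", "981", "[TCP Retransmission] Continuation"),
    ("4167", "219.778181", CLIENT, SERVER, "TPKT", "85", "Continuation"),
    ("4191", "224.575355", CLIENT, SERVER, "TPKT", "1354", "[TCP Retransmission] Continuation"),
    ("4246", "238.663506", CLIENT, SERVER, "TCP", "54",
     "49322 > ms-wbt-server [RST, ACK] Seq=173138 Ack=27613 Win=0 Len=0"),
])

COLS = ("no", "time", "src", "dst", "proto", "length", "info")

def parse(text):
    """Yield one dict per well-formed packet-list row."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == len(COLS):
            pkt = dict(zip(COLS, fields))
            pkt["no"], pkt["time"] = int(pkt["no"]), float(pkt["time"])
            yield pkt

def silent_peer_report(text, client, server):
    """Summarise what the client sent after the server was last heard."""
    pkts = [p for p in parse(text) if {p["src"], p["dst"]} == {client, server}]
    heard = [p for p in pkts if p["src"] == server]
    last = heard[-1] if heard else None
    cutoff = last["time"] if last else float("-inf")
    after = [p for p in pkts if p["src"] == client and p["time"] > cutoff]
    retrans = sum("[TCP Retransmission]" in p["info"] for p in after)
    rst = next((p for p in after if "[RST" in p["info"]), None)
    return {
        "last_server_frame": last["no"] if last else None,
        "client_frames_after": len(after),
        "retransmissions": retrans,
        "client_rst_frame": rst["no"] if rst else None,
        "silence_seconds": round(rst["time"] - cutoff, 3) if rst and last else None,
        "matches_pattern": retrans > 0 and rst is not None,
    }

if __name__ == "__main__":
    print(silent_peer_report(SAMPLE, CLIENT, SERVER))
```

Running the same report on a capture taken at the server side shows whether the client's frames after `last_server_frame` arrived there at all, which is the comparison the answer recommends.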